summaryrefslogtreecommitdiff
path: root/sbin/iked/ca.c
AgeCommit message (Expand)Author
2022-07-08Support sending certificate chains with intermediate CAs in multiple CERTTobias Heider
2021-12-14Move raw pubkey bytes to EVP_PKEY conversion to common function.Tobias Heider
2021-12-13Fix asprintf() error check. Portable code should check the returnTheo Buehler
2021-12-13Fix a few leaks due to X509_NAME_oneline(name, NULL, 0) dynamicallyTheo Buehler
2021-12-13Cleanup libcrypto memory management. Remove redundant NULL checksTobias Heider
2021-12-08The /etc/iked/certs/ directory is used for both local and peerTobias Heider
2021-12-07Fix locally stored peer certificates in /etc/iked/certs as documented inTobias Heider
2021-12-01whitespace cleanup during review readTheo de Raadt
2021-11-25Silence unitialized variable warnings.Tobias Heider
2021-11-21Add 'ikectl show certinfo' to show trusted CAs and certificates.Tobias Heider
2021-02-24Use ASN1_STRING_get0_data() instead of the deprecated ASN1_STRING_data().tobhe
2021-02-07Free X509_STOREs in ca_shutdown().tobhe
2021-02-04Upgrade to OpenSSL 1.1 compatible crypto API. Add additionaltobhe
2020-12-05Make len unsigned.tobhe
2020-11-04Add check for static id size.tobhe
2020-10-09More unused headers.tobhe
2020-10-09Remove unused "wait.h" includes.tobhe
2020-09-23Add new 'set cert_partial_chain' config option to allow verification oftobhe
2020-09-08Fix auth method negotiation for IKEV2_CERT_X509_CERT. If a cert matchingtobhe
2020-08-21Use trusted CA from /etc/iked/ca/ as OCSP issuer to get rid oftobhe
2020-08-18Add optional time-stamp validaten for ocsp. The new optional 'tolerate'tobhe
2020-08-16Clean up unused parameters.tobhe
2020-08-14Clean up unused variables.tobhe
2020-07-27Fix return value check for openssl API used during pubkey validation.tobhe
2020-07-15Make CERT and CERTREQ payloads optional for public key authentication.tobhe
2020-06-25Silence ca_validate_pubkey() error message for cert typetobhe
2020-06-17Fix length check in ca_getreq().tobhe
2020-05-08Remove unneccessary X509_NAME_oneline wrapper. Passing NULL as buftobhe
2020-04-12"could not open public key" is an error and should be log_info.tobhe
2020-04-10Only make the type part of the idstring lowercase when looking for certs intobhe
2020-04-08Prevent multiple ibuf leaks. Clean up on proccess shutdown.tobhe
2020-04-07Always prefer generic signature authentication (RFC 7427) , not just for RSA.tobhe
2020-04-06Fix pubkey leak in CA process for ASN1_DN IDs.tobhe
2020-04-01Properly handle multiple CERTREQ payloads in CA process. Only for thetobhe
2020-03-31Log summary of certificates in cert store when iked fails to find atobhe
2020-03-27Adjust cert type when choosing public key fallback.tobhe
2020-03-24Add ikev2_print_static_id() to print static IDs in log_debug() output.tobhe
2020-03-24Make our CERTREQ payload handling less strict. If we can not find atobhe
2020-01-15Support multiple x509 extensions and extensions with multipletobhe
2020-01-15If we don't find a certificate signed by a trusted CAtobhe
2019-07-03snprintf/vsnprintf return < 0 on error, rather than -1.Theo de Raadt
2019-02-27update RFC references, from tobias_heider at genua.de, ok claudio@Stuart Henderson
2017-10-30In the subjectAltName comparison, the bzero before the while-loop wasPatrick Wildt
2017-10-27Support multiple subjectAltNames by trying each existing until therePatrick Wildt
2017-03-28Add helpful debug messages to tell us why public key authentication failed.Reyk Floeter
2017-03-27Add support for RFC4754 (ECDSA) and RFC7427 authentication.Reyk Floeter
2017-01-20Make sure to free reference to the public key after decodingMike Belopuhov
2017-01-03Fix pledge of the ca process by calling the right function on startup.Reyk Floeter
2015-12-07Sync proc.c, use shorter proc_compose[v]()Reyk Floeter
2015-10-22iked hereby pledges that it will run with restricted systemReyk Floeter